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About this Book and the Library 


The Identity Manager Drivers for Null Service and Loopback Service Implementation Guide explains 
how to install, configure, and manage the Identity Manager Drivers for Null Service and Loopback 
Service. Service drivers are used only for Identity Manager engine functions, not for connecting with 
external systems. They are automatically installed when you install Identity Manager. 


Intended Audience 


This guide is intended for Identity Manager administrators, and others who implement the Identity 
Manager drivers for Null Service and Loopback Service. 


Other Information in the Library 


For more information about the library for Identity Manager, see the Identity Manager documentation 
website. 


About this Book and the Library 
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About this Book and the Library 


About NetIQ Corporation 


We are a global, enterprise software company, with a focus on the three persistent challenges in your 
environment: Change, complexity and risk—and how we can help you control them. 


Our Viewpoint 


Adapting to change and managing complexity and risk are nothing new 


In fact, of all the challenges you face, these are perhaps the most prominent variables that deny 
you the control you need to securely measure, monitor, and manage your physical, virtual, and 
cloud computing environments. 

Enabling critical business services, better and faster 


We believe that providing as much control as possible to IT organizations is the only way to 
enable timelier and cost effective delivery of services. Persistent pressures like change and 
complexity will only continue to increase as organizations continue to change and the 
technologies needed to manage them become inherently more complex. 


Our Philosophy 


Selling intelligent solutions, not just software 


In order to provide reliable control, we first make sure we understand the real-world scenarios in 
which IT organizations like yours operate—day in and day out. That's the only way we can 
develop practical, intelligent IT solutions that successfully yield proven, measurable results. And 
that's so much more rewarding than simply selling software. 

Driving your success is our passion 


We place your success at the heart of how we do business. From product inception to 
deployment, we understand that you need IT solutions that work well and integrate seamlessly 
with your existing investments; you need ongoing support and training post-deployment; and you 
need someone that is truly easy to work with—for a change. Ultimately, when you succeed, we 
all succeed. 


Our Solutions 


¢ Identity & Access Governance 

+ Access Management 

+ Security Management 

+ Systems & Application Management 
+ Workload Management 

+ Service Management 
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Contacting Sales Support 


For questions about products, pricing, and capabilities, contact your local partner. If you cannot 
contact your partner, contact our Sales Support team. 


Worldwide: www.netig.com/about_netiq/officelocations.asp 
United States and Canada: 1-888-323-6768 

Email: info@netig.com 

Web Site: www.netig.com 


Contacting Technical Support 


For specific product issues, contact our Technical Support team. 


Worldwide: www.netig.com/support/contactinfo.asp 
North and South America: 1-713-418-5555 

Europe, Middle East, and Africa: +353 (0) 91-782 677 

Email: support@netig.com 

Web Site: www.netiq.com/support 


Contacting Documentation Support 


Our goal is to provide documentation that meets your needs. The documentation for this product is 
available on the NetIQ Web site in HTML and PDF formats on a page that does not require you to log 
in. If you have suggestions for documentation improvements, click Add Comment at the bottom of 
any page in the HTML version of the documentation posted at www.netig.com/documentation. You 
can also email Documentation-Feedback@netiq.com. We value your input and look forward to 
hearing from you. 


Contacting the Online User Community 


NetIQ Communities, the NetIQ online community, is a collaborative network connecting you to your 
peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, 
and access to NetIQ experts, NetIQ Communities helps ensure you are mastering the knowledge you 
need to realize the full potential of IT investments upon which you rely. For more information, visit 
community.netiq.com. 
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Understanding the Null Service and 
Loopback Service Drivers 


NetIQ Identity Manager includes two utility drivers, Null Service and Loopback Service, whose 
purpose is to implement custom behavior through policies established on the drivers’ Subscriber and 
Publisher channels. Like other service drivers such as Entitlement and Workflow, the Null Service and 
Loopback Service drivers do not connect to external applications or systems. 


The Null Service driver performs any tasks that are implemented through policies on the Subscriber 
channel. The Publisher channel is not used; the driver does not connect the Subscriber channel to 
the Publisher channel, but rather acts as a sink for most operations, simulates doing something with 
operations, and then returns success. Typical uses for the Null Service driver include the following: 


+ Adding the classes and attributes that you want to monitor for change in the Subscriber Filter as 
Synchronize for the class and Notify for the attribute. 


+ Adding Subscriber Event Transformation policies that react to specific object or attribute 
changes, and performing actions such as: 


+ Making modifications back into the Identity Vault (using actions that manipulate source 
attributes and objects). 


Y Sending e-mail. 
+ Generating custom Audit events. 
+ Calling extension functions to communicate the change outside of Identity Manager. 
+ Adding a final Subscriber Event Transformation policy that vetoes all events. 
The Null Service driver should be sufficient for the majority of the tasks you want to perform. 
However, if you need to process policies on both the Subscriber and Publisher channels, you can use 
the Loopback Service driver instead. The only difference between the two drivers is that the 


Loopback Service driver’s Subscriber channel connects to the Publisher channel so that events can 
also be processed on the Publisher channel. 


Key Terms 


+ “Identity Manager” on page 10 

+ “Identity Vault” on page 10 

¢ “Identity Manager Engine” on page 10 
+ “Drivers” on page 10 

+ “Driver Shim” on page 10 


+ “Remote Loader” on page 10 
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Identity Manager 


NetIQ Identity Manager is a service that synchronizes data among servers in a set of connected 
systems by using a robust set of configurable policies. Identity Manager uses the Identity Vault to 
store shared information, and uses the Identity Manager engine for policy-based management of the 
information as it changes in the vault or connected system. Identity Manager runs on the server 
where the Identity Vault and the Identity Manager engine are located. 


Identity Vault 


The Identity Vault is a persistent database powered by eDirectory and used by Identity Manager to 
hold data for synchronization with a connected system. You can view the vault as a private data store 
for Identity Manager that holds enterprise-wide data. Data in the vault is available to any protocol 
supported by eDirectory, including the NetWare Core Protocol (NCP), which is the traditional protocol 
used by iManager, LDAP, and DSML. 


Because the Identity Vault is powered by eDirectory, you can easily integrate Identity Manager into 
your corporate directory infrastructure by using your existing directory tree as the vault. 


Identity Manager Engine 


The Identity Manager engine is the core server that implements the event management and policies 
of Identity Manager. The engine runs on the Java Virtual Machine in eDirectory. 


Drivers 


A driver implements a data sharing policy for a connected system. You control the actions of the 
driver using iManager to define the filters and the policy. 


Driver Shim 


A driver shim is the component of a driver that converts the XML-based Identity Manager command 
and event language (XDS) to the protocols and API calls needed to interact with a connected system. 
The shim is called to execute commands on the connected system after the Output Transformation 
runs. Commands are usually generated on the Subscriber channel but can be generated by 
command write-back on the Publisher channel. 


The shim also generates events from the connected system for the Input Transformation policy. A 
driver shim can be implemented either in Java class or as a native Windows DLL file. The shim for 
Loopback Service driver is com.novell.nds.dirxml. driver .loopback.LoopbackDriverShim. 


Remote Loader 


A Remote Loader enables a driver shim to execute outside of the Identity Manager engine (perhaps 
remotely on a different machine). The Remote Loader is typically used when a requirement of the 
driver shim is not met by the Identity Manager server. 


The Remote Loader is a service that executes the driver shim and passes information between the 
shim and the Identity Manager engine. When you use a Remote Loader, you install the driver shim on 
the server where the Remote Loader is running, not on the server where the Identity Manager engine 
is running. You can choose to use SSL to encrypt the connection between the Identity Manager 
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engine and the Remote Loader. For more information, see the Installing Identity Manager in the 
NetlQ Identity Manager Setup Guide for Linux or Installing the Remote Loader in the NetIQ Identity 
Manager Setup Guide for Windows guides. 


Key Driver Features 


¢ “Entitlements” on page 11 
+ “Password Synchronization Support” on page 12 
¢ “Data Synchronization Support” on page 12 


Entitlements 


Entitlements make it easier to integrate Identity Manager with the Identity Manager User Application 
and Role-Based Services in eDirectory. The Loopback Service driver supports custom and 
administrator-defined entitlements with the use of a new entitlement package. This package contains 
the content that allows you to keep the Resource Catalog up-to-date with the user permissions stored 
in the Identity Vault, dynamically create an entitlement and dynamic resource for each permission 
type, and load the permission data as entitlement values into Identity Manager Role-Based 
Provisioning Module. The new functionality is called Permission Collection and Reconciliation 
service. It addresses the challenge of synchronizing changes made to the users in the Identity Vault 
with the Identity Manager Role-Based Provisioning Module. The Permission Collection and 
Reconciliation service allows the driver to automatically provision or deprovision these resources to 
Identity Manager identities based on attribute values consumed during standard Publication channel 
processing. 


The Permission Collection and Reconciliation service automatically creates a dynamic group 
resource and manages user assignments (assign and revoke) in the Role-Based Provisioning 
Module for the Identity Vault groups. For example, if Alex is anew employee and you want to add him 
to a Security group, you can modify the Security group membership attribute using iManager. The 
Resource Administrator can also grant him access to the Security group by assigning him to this 
group resource in the User Application. This group assignment is immediately reflected in the Identity 
Vault. In addition, it allows you to migrate existing group memberships as resource assignments into 
the Role-Based Provisioning Module. 


The Permission Collection and Reconciliation service also allows you to manage permissions of 
identities in the Role-Based Provisioning Module with the use of a CSV file. The driver creates 
dynamic resources for each of the permission types specified during driver creation. You can use 
these permission types to control the assignment of values to the user attributes. For example, if 
Printer is a permission type configured during driver configuration in Designer, the Loopback Service 
driver creates a dynamic resource, Printer_LoopbackServiceDriver for this permission type in the 
User Application. The Identity Vault attribute, Printer Control, that holds values for printers 
available to users, maps to Printer_LoopbackServiceDriver in the User Application. To grant users 
access to a particular printer using iManager, you need set a value for the Printer Control attribute 
for specific users. With this service enabled, this change immediately reflects on the 
Printer_LoopbackServiceDriver resource in the User Application. As a Resource Administrator, if you 
assign or revoke users from Printer_LoopbackServiceDriver in the User Application, this change 
immediately reflects in the Identity Vault. 
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CSV File Format 


The CSV file must contain the Identity Vault permission information in a correct format so that the 
driver reads it correctly from the file. A separate CSV file must be maintained for every custom 
entitlement. For example, a CSV file that holds Printer entitlement details for employees represents 
this information in the following format: 


Printer1, First Floor Printer1, Printer Access for Employees 


where Printer1 is the entitlement value, First Floor Printer is the display name in the User 
Application for the entitlement value Printer1, and Printer Access for Employees is the description for 
the entitlement value. This description is displayed in the User Application. 


You must place the CSV file on the same server as the driver. This file contains the values for Identity 
Vault entitlements. 


The following packages contain the content necessary for Permission Collection and Reconciliation 
service: 


+ NOVLLBACKB_ 2.0.0 (Base Package) 
+ NOVLLBACKENT_2.0.0 (Entitlements Package) 


The Permission Collection and Reconciliation service provides GCVs that you can use to control the 
flow of Identity Vault changes to the User Application. For more information, see “Entitlements” on 
page 38. 


Prerequisites 


Before continuing, ensure that you go through the prerequisites needed for enabling this service. For 
general prerequisites, see “Prerequisites ” in Synchronizing Permission Changes from the Connected 
Systems in the NetIQ Identity Manager Driver Administration Guide. In addition to the general 
prerequisites, ensure that the Loopback Service driver version is 4.0.0.1. 


Also, you need to set up administrative user accounts and configure a password policy for them. For 
more information, see “Setting Up Administrative User Accounts” and “Setting Up Administrative 
Passwords” in the NetIQ Identity Manager Driver Administration Guide. 


To use the Permission Collection and Reconciliation service included in the Loopback Service driver, 
you can either create a new driver with the latest packages or upgrade packages on an existing 
driver. For more information about creating a driver, see “Creating the Driver in Designer” on page 23 
or “Adding Packages to an Existing Driver” on page 20. 


Password Synchronization Support 


The Loopback Service driver does not synchronize passwords. 


Data Synchronization Support 


The Loopback Service driver synchronizes User and Group objects. 
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Default Driver Configuration 


The Loopback Service driver is shipped with packages. You can create the driver in Designer. If your 
requirements for the driver are different from the default policies, you need to modify the default 
policies to do what you want. 


Data Flow 


Data flow between the Loopback Service driver and the Identity Vault is controlled by the filters, 
mappings, and policies that are in place for the Loopback Service driver. 


The driver filter determines which classes and attributes are synchronized between the driver and the 
Identity Vault, and in which direction synchronization takes place. 
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Installing the Driver Files 


By default, the Null Service and Loopback Service driver files are installed on the Identity Manager 
server at the same time as the Identity Manager engine. The installation program extends the Identity 
Vault’s schema and installs the driver shim. It does not create the driver in the Identity Vault (see 
Chapter 3, “Creating a New Null Service Driver Object,” on page 17 or Chapter 4, “Creating a New 
Loopback Service Driver,” on page 23) or upgrade an existing driver’s configuration (see Chapter 5, 
“Upgrading an Existing Driver,” on page 31). 

If you performed a custom installation and did not install the Null Service or the Loopback Service 
driver on the Identity Manager server, you have two options: 


¢ Install the files on the Identity Manager server, using the instructions in Installing Identity 
Manager Engine in the NetIQ Identity Manager Setup Guide for Linux or Installing the Engine, 
Drivers, and ¡Manager Plug-ins in the NetIQ Identity Manager Setup Guide for Windows guides. 


+ Install the Remote Loader (required to run the driver on a non-Identity Manager server) and the 
driver files on a non-Identity Manager server where you want to run the driver. 
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Creating a New Null Service Driver 
Object 


After the Null Service driver files are installed on the server where you want to run the driver (see 
Chapter 2, “Installing the Driver Files,” on page 15), you can create the driver in the Identity Vault. You 
do so by importing the driver packages and then modifying the driver configuration to suit your 
environment. 

+ “Creating the Driver Object in Designer” on page 17 

¢ “Activating the Driver” on page 20 


+ “Adding Packages to an Existing Driver” on page 20 


Creating the Driver Object in Designer 


To create the Null Service driver object, install the driver packages and then modify the configuration 
to suit your environment. After you create and configure the driver object, you need to deploy it to the 
Identity Vault and start it. 

+ “Importing the Current Driver Packages” on page 17 

¢ “Installing the Driver Packages” on page 18 

+ “Configuring the Driver Settings” on page 19 

+ “Configuring the Driver Policies” on page 19 

+ “Deploying the Driver” on page 19 

¢ “Starting the Driver” on page 20 


NOTE: You should not create driver objects using the new Identity Manager 4.0 and later 
configuration files through iManager. This method of creating driver objects is no longer supported. To 
create drivers, you now need to use the new package management features provided in Designer. 


Importing the Current Driver Packages 


The driver packages contain the items required to create a driver, such as policies, entitlements, 
filters, and Schema Mapping policies. These packages are only available in Designer. You can 
upgrade any package that is installed if there is a newer version of the package available. Before 
creating a driver object in Designer, it is recommended to have the latest packages in the Package 
Catalog. Designer prompts you for importing the required packages when it creates the driver object. 
For more information on upgrading packages, see “Upgrading Installed Packages”in the NetIQ 
Designer for Identity Manager Administration Guide. 


To verify you have the most recent version of the driver packages in the Package Catalog: 


1 Open Designer. 
2 In the toolbar, click Help > Check for Package Updates. 
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3 Click OK to update the packages 

or 

Click OK if the packages are up-to-date. 
4 Inthe Outline view, right-click the Package Catalog. 
5 Click Import Package. 


13 Project Ez Qutine £3 CARE 
= $ test 
e Ss 
Ben Import Package... 
< IS) Identity Vault 
E server 
62 Driver Set 
3) Default Notification Collection 


6 Select any Null Service driver packages 
or 
Click Select All to import all of the packages displayed. 


By default, only the base packages are displayed. Deselect Show Base Packages Only to 
display all packages. 


7 Click OK to import the selected packages, then click OK in the successfully imported packages 
message. 


8 After the current packages are imported, continue with “Installing the Driver Packages” on 
page 18. 


Installing the Driver Packages 


After you have imported the current driver packages into the Package Catalog, you can install the 
driver packages to create a new driver. 


1 In Designer, open your project. 


N 


In the Modeler, right-click the driver set where you want to create the driver, then click New > 
Driver. 


Select Null Service Base, then click Next. 
On the Null Service page, specify a name for the driver, then click Next. 


Review the summary of tasks that will be completed to create the driver, then click Finish. 


oun Aà O 


After the driver packages are installed, if you want to change the configuration of the Role-Based 
Entitlement driver, continue to “Configuring the Driver Settings” on page 19. 


or 


If you do not want to change the configuration of the driver, continue to “Deploying the Driver” on 
page 19. 


Creating a New Null Service Driver Object 


Configuring the Driver Settings 


After you installed the driver packages, the Null Service driver will run. However, there are many 
configuration settings that you can use to customize and optimize the driver. The settings are divided 
into categories such as Driver Configuration, Engine Control Values, and Global Configuration Values 
(GCVs). The settings are described in Appendix A, “Driver Properties,” on page 35. 


If you do not have the Driver Properties page displayed in Designer: 
1 Open your project. 


2 In the Modeler, right-click the driver icon bd or the driver line, then select Properties. 
3 Make the changes you want, then continue to “Configuring the Driver Policies” on page 19. 


Configuring the Driver Policies 


The basic driver configuration does not include any policies. To have the driver perform any work, you 
need to create the appropriate policies. For information about creating policies, see the Net/Q Identity 
Manager - Using Designer to Create Policies guide. 


After you have created the appropriate policies, continue with “Deploying the Driver” on page 19. 


Deploying the Driver 
After a driver is created in Designer, it must be deployed into the Identity Vault. 


1 In Designer, open your project. 


2 In the Modeler, right-click the driver icon bl or the driver line, then select Live > Deploy. 


3 If you are authenticated to the Identity Vault, skip to Step 5; otherwise, specify the following 
information, then click OK: 


+ Host: Specify the IP address or DNS name of the server hosting the Identity Vault. 
+ Username: Specify the DN of the user object used to authenticate to the Identity Vault. 
+ Password: Specify the user's password. 

4 Read the deployment summary, then click Deploy. 

5 Read the successful message, then click OK. 

6 Click Define Security Equivalence to assign rights to the driver. 


The driver requires rights to objects within the Identity Vault. The Admin user object is most often 
used to supply these rights. However, you might want to create a DriversUser (for example) and 
assign security equivalence to that user. Whatever rights that the driver needs to have on the 
server, the DriversUser object must have the same security rights. 


6a Click Add, then browse to and select the object with the correct rights. 
6b Click OK twice. 
7 Click Exclude Administrative Roles to exclude users that should not be synchronized. 


You should exclude any administrative User objects (for example, Admin and DriversUser) from 
synchronization. 


7a Click Add, then browse to and select the user object you want to exclude, then click OK. 
7b Repeat Step 8a for each object you want to exclude, then click OK. 
8 Click OK. 
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Starting the Driver 


When a driver is created, it is stopped by default. To make the driver work, you must start the driver 
and cause events to occur. Identity Manager is an event-driven system, so after the driver is started, 
it won't do anything until an event occurs. 


To start the driver: 
1 In Designer, open your project. 
2 In the Modeler, right-click the driver icon bl or the driver line, then select Live > Start Driver. 


For information about management tasks for the driver, see Chapter 6, “Managing the Driver,” on 
page 33. 


Activating the Driver 


The Identity Manager driver for Null Service does not need a separate activation. If you create the 
driver in a driver set where you have already activated the Identity Manager server and service 
drivers, the driver inherits the activation from the driver set. 


If you create the driver in a driver set that has not been previously activated, the driver will run in the 
evaluation mode for 90 days. You must activate the driver during the evaluation period; otherwise, the 
driver will be disabled. If you try to run the driver, ndstrace displays an error message indicating that 
you need to reactivate the driver to use it. For information on activation, refer to Activating Identity 
Manager in NetIQ Identity Manager Setup Guide for Linux or Activating Identity Manager in NetIQ 
Identity Manager Setup Guide for Windows. 


Adding Packages to an Existing Driver 


You can add new functionality to an existing driver by adding new packages to an existing driver. 


1 Right-click the driver, then click Properties. 
2 Click Packages, then click the Add Packages icon +. 


3 Select the packages to install. If the list is empty, there are no available packages to install. 
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® Select ELERTE 


Available Packages 


Password Management Notification Te... 
Password Expiration Notification Templ... 
Job Default Notification Templates 


4 (Optional) Deselect the Show only applicable package versions option, if you want to see all 
available packages for the driver, then click OK. 


This option is only displayed on drivers. By default, only the packages that can be installed on 
the selected driver are displayed. 


5 Click Apply to install all of the packages listed with the Install operation. 


Package Management há 
Installed Packages + Y 

Package versi... Upgra... Operation 

O Password Synchronization Notificatio... 0.2.0 Select Operation... 

© Provisioning Notification Templates 0.2.0 Install 

OPassword Management Notification T... 0.2.0 Install 

Password Expiration Notification Tem... 0.2.0 Install 

© Job Default Notification Templates 0.2.0 Install 


6 (Conditional) Fill in the fields with appropriate information to install the package you selected for 
the driver, then click Next. 


7 Read the summary of the installation, then click Finish. 


8 Click OK to close the Package Management page after you have reviewed the installed 
packages. 
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Package Management 


Installed Packages + Í 
Package Versi... Upgra... Operation 
6 Job Default Notification Templates 0.2.0 Select Operation... 
O Password Expiration Notification Tem... 0.2.0 Select Operation... 
O Password Management Notification T... 0.2.0 Select Operation... 
O Password Synchronization Notificatio... 0.2.0 Select Operation... 
® Provisioning Notification Templates 0.2.0 Select Operation... 


9 Repeat Step 1 through Step 8 for each driver where you want to add the new packages. 
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Creating a New Loopback Service Driver 


After the Loopback Service driver files are installed on the server where you want to run the driver 
(see Chapter 2, “Installing the Driver Files,” on page 15), you can create the driver in the Identity 
Vault. You do so by importing the driver packages and then modifying the driver configuration to suit 
your environment. 


+ 


+ 


+ 


+ 


“Creating the Driver in Designer” on page 23 

“Activating the Driver” on page 28 

“Adding Packages to an Existing Driver” on page 28 

“Viewing Permission Collection and Reconciliation Service Configuration Objects” on page 29 


Creating the Driver in Designer 


You create the Loopback Service driver by installing the driver packages and then modifying the 
configuration to suit your environment. After you create and configure the driver, you need to deploy it 
to the Identity Vault and start it. 


+ 


+ 


+ 


+ 


+ 


+ 


“Importing the Current Driver Packages” on page 23 
“Installing the Driver Packages” on page 24 
“Configuring the Driver Settings” on page 26 
“Configuring the Driver Policies” on page 26 
“Deploying the Driver” on page 27 

“Starting the Driver” on page 27 


Importing the Current Driver Packages 


You can update the driver packages at any time and store them in the Package Catalog. Packages 
are initially imported into the Package Catalog when you create a project, import a project, or convert 
a project. It is important to verify you have the latest packages imported into the Package Catalog 
before you install the driver. 


To verify you have the most recent version of the driver packages in the Package Catalog: 


1 


Open Designer. 


2 In the toolbar, click Help > Check for Package Updates. 


3 Click OK if there are no package updates 


or 
Click OK to import the package updates. 


4 In the Outline view, right-click the Package Catalog. 


Click Import Package. 
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Select any Loopback Service driver packages 
or 
Click Select All to import all of the packages displayed. 


By default, only the base packages are displayed. Deselect Show Base Packages Only to 
display all packages. 


IMPORTANT: If you want the driver to support the Permission Collection and Reconciliation 
Service functionality, ensure you import the following packages to the driver: 


+ NOVLLBACKB_ 2.0.0 (Base Package) 
+ NOVLLBACKENT_2.0.0 (Entitlements Package) 
+ NOVLACOMSET_2.0.0 (Common Settings Advanced Edition Package) 


For information about the Permission Collection and Reconciliation service, see “Synchronizing 
Permission Changes from the Connected Systems ” in the NetIQ Identity Manager Driver 
Administration Guide. 


Click OK to import the selected packages, then click OK in the successfully imported packages 
message. 


After the current packages are imported, continue with “Installing the Driver Packages” on 
page 18. 


Installing the Driver Packages 


After you have imported the current driver packages into the Package Catalog, you can install the 
driver packages to create a new driver. 


1 
2 


3 


In Designer, open your project. 


In the Modeler, right-click the driver set where you want to create the driver, then click New > 
Driver. 


Select Loopback Base, then click Next. 


4 Select the optional features to install for the Loopback Service driver. 


There is only one option. It is selected by default. 


+ Loopback Entitlements: This package contains policies that allow Identity Manager to 
consume CSV files containing Identity Vault permission information, dynamically create an 
entitlement and dynamic resource for each permission type, and load the permission data 
as entitlement values into Identity Manager Role-Based Provisioning Module. This package 
also contains GCVs to control the resource mapping. Select this package if you want the 
driver to support custom and administrator-defined entitlements. For more information 
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about the Permission Collection and Reconciliation Service functionality, see 
“Synchronizing Permission Changes from the Connected Systems ” in the NetIQ Identity 
Manager Driver Administration Guide. 


NOTE: If you are enabling Permission Collection and Reconciliation service, ensure that 
you upgrade the Managed System Gateway driver version to 4.0.0.6. 


5 Click Next. 


6 (Conditional) If there are package dependencies for the packages you selected to install, you 
must install them to install the selected package. Click OK to install the package dependencies 
listed. 


7 (Conditional) If not already configured, fill in the following fields on the Common Settings 
Advanced Edition page, then click Next: 


NOTE: This page is only displayed if you installed the Common Settings Advanced Edition 
package. 


+ User Application Provisioning Services URL: Specify the User Application Identity 
Manager Provisioning URL. 


+ User Application Provisioning Services Administrator: Specify the DN of the User 
Application Administrator user. This user should have the rights for creating and assigning 
resources. For more information, see “Setting Up Administrative User Accounts” in the 
NetIQ Identity Manager Driver Administration Guide. 


8 On the Install Loopback page, specify a name for the driver, then click Next. 


9 (Conditional) On the Entitlements Name to CSV File Mappings page, click the Add Name to File 
Mapping + icon to populate the page with the entitlement configuration options. 


Identity Manager uses the CSV file to map Loopback entitlements into corresponding resources 
in the Identity Manager catalog. 


NOTE: This page is only displayed if you selected to install the Entitlements package. 


+ Entitlement Name: Specify a descriptive name for the entitlement to map it to the CSV file 
that contains entitlement details. 


Entitlement Name is the name of the entitlement. For example, you can define an 
entitlement called Printer. 


This parameter is used to create a resource in the User Application. 


+ Entitlement Assignment Attribute: Specify a descriptive name for the assignment 
attribute for an entitlement. 


Entitlement Assignment Attribute holds the entitlement values in the Identity Vault. For 
example, this parameter can hold an attribute called Printer Control. 


You must add this parameter to Field Names in the Driver Parameters page or modify it in 
driver settings after creating the driver. 


+ CSV File: Specify the location of the CSV file. This file must be located on the same server 
as the driver. This file contains the values for Identity Vault entitlements. 


+ Multi-valued?: Set the value of this parameter to True if you want to assign resources and 
entitlements multiple times with different values to the same user. Otherwise, set it to False. 


10 Click Next. 
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11 Review the settings and click Finish to create the driver. 


12 After the driver is created, if you want to change the configuration settings of the driver, continue 
to “Configuring the Driver Settings” on page 26. If you do not want to change the configuration of 
the driver, continue to “Deploying the Driver” on page 27. 


Configuring the Driver Settings 


After you have installed the driver packages, the Loopback Service driver will run. However, there are 
many configuration settings that you can use to customize and optimize the driver. The settings are 
divided into categories such as Driver Configuration, Engine Control Values, and Global 
Configuration Values (GCVs). The settings are described in Appendix A, “Driver Properties,” on 
page 35. 


To access the Driver Properties page in Designer: 
1 Open your project. 


2 In the Modeler, right-click the driver icon bl or the driver line, then select Properties. 


3 (Conditional) Click GCVs > Entitlements and review the following settings: 


NOTE: These settings are only displayed if you installed the Entitlements package. 


+ Enable Permission Collection and Reconciliation: Select the value of this parameter to 
True for allowing permission collection and entitlement assignment. By default it is set to 
False, which allows the driver to override any other conditions to reconcile custom 
entitlements. 


+ Enable Permission Reconciliation for Group Entitlement: Ensure the value of this 
parameter is set to Yes to enable the driver to assign group entitlements. By default, the 
value is set to Yes. 


+ Enable Permission Reconciliation for all Custom Entitlements: If the value of this 
parameter is set to No, it allows you to select specific custom entitlements for reconciling 
them. By default, it is set to Yes, which allows reconciling of all custom entitlements. 


+ Add Custom Entitlements for Reconciliation: This parameter is presented if the value of 
Enable Permission Reconciliation for all Custom Entitlements is set to No. 


Click the Add + icon to add custom entitlements you want to selectively reconcile and 
specify Assignment Attribute Name for them. 


NOTE: Ensure that Entitlement Assignment Attributes values are added to the Field Names 
parameter in the driver configuration if they are not added initially during driver creation. 


4 Click Apply. 
5 Modify any other settings as necessary. 
6 Deploy the driver to the Identity Vault. Proceed to “Deploying the Driver” on page 27. 


Configuring the Driver Policies 


The basic driver configuration does not include any policies. To have the driver perform any work, you 
need to create the appropriate policies. For information about creating policies, see the Net/Q Identity 
Manager - Using Designer to Create Policies guide. 


After you have created the appropriate policies, continue to “Deploying the Driver” on page 27. 
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Deploying the Driver 
After a driver is created in Designer, it must be deployed into the Identity Vault. 
1 In Designer, open your project. 


2 In the Modeler, right-click the driver icon bl or the driver line, then select Live > Deploy. 


3 If you are authenticated to the Identity Vault, skip to Step 5; otherwise, specify the follow 
information: 


+ Host: Specify the IP address or DNS name of the server hosting the Identity Vault. 
+ Username: Specify the DN of the user object used to authenticate to the Identity Vault. 
+ Password: Specify the user's password. 

Click OK. 

Read the deployment summary, then click Deploy. 

Read the successful message, then click OK. 


N © of a 


Click Define Security Equivalence to assign rights to the driver. 


The driver requires rights to objects within the Identity Vault and to the input and output 
directories on the server. The Admin user object is most often used to supply these rights. 
However, you might want to create a DriversUser, for example, and assign security equivalence 
to that user. For more information about defining a Security Equivalent User in objects for drivers 
in the Identity Vault, see “Establishing a Security Equivalent User” in the NetIQ Identity Manager 
Security Guide. 


For receiving events from the Identity Vault, ensure that the driver’s Security Equals DN has the 
following rights in the Identity Vault: 


+ Entry: Browse rights. 
¢ Attributes: Read rights. 
7a Click Add, then browse to and select the object with the correct rights. 
7b Click OK twice. 
8 Click Exclude Administrative Roles to exclude users that should not be synchronized. 


You should exclude any administrative User objects (for example, Admin and DriversUser) from 
synchronization. 


8a Click Add, then browse to and select the user object you want to exclude. 

8b Click OK. 

8c Repeat Step 8a and Step 8b for each object you want to exclude, then click OK. 
9 Click OK. 


Starting the Driver 


If you configured the driver with the Permission Collection and Reconciliation service, ensure the 
driver meets the following requirements before it is started for the first time: 


+ The Entitlement value CSV files are available in the locations specified during driver 
configuration. You can check the location you specified by examining the 
PermissionNameToFile mapping table under the driver in the Outline View of Designer. 


+ The driver administrator and the User Application Resource Administrator are added to a 
Password Policy. 
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To start the driver, in the Modeler, right-click the driver icon Y or the driver line, then select Live > 
Start Driver. 


For information about management tasks with the driver, see Chapter 6, “Managing the Driver,” on 
page 33. 


Activating the Driver 


If you created the driver in a driver set where you already activated the Identity Manager engine and 
service drivers, the driver inherits the activation. If you created the driver in a driver set that has not 
been activated, you must activate the driver within 90 days. Otherwise, the driver stops working. 


For information on activation, refer to Activating Identity Manager in NetlQ Identity Manager Setup 
Guide for Linux or Activating Identity Manager in NetIQ Identity Manager Setup Guide for Windows.. 


Adding Packages to an Existing Driver 


You can add new functionality to an existing driver by adding new packages to it. 


1 Right-click the driver, then click Properties. 


Click Packages, then upgrade the already installed Loopback Base package. 

2a Select the package from the list of packages, then click the Select Operation cell. 
2b Click Upgrade from the drop-down list, then click Apply. 

2c Click OK to close the Package Management page. 
Click the Add Packages icon +. 


4 Select the packages to install. 


NOTE: The Loopback Entitlements package contains the content for Permission Collection and 
Reconciliation service. Select this package to enable this service. 


(Optional) If you want to see all available packages for the driver, clear the Show only applicable 


package versions option, if you want to see all available packages for the driver, then click OK. 


This option is only displayed on drivers. By default, only the packages that can be installed on 
the selected driver are displayed. 


7 Click Apply to install all of the packages listed with the Install operation. 


(Conditional) Fill in the fields with appropriate information to install the package you selected for 
the driver, then click Next. 


Read the summary of the installation, then click Finish. 


Click OK to close the Package Management page after you have reviewed the installed 
packages. 


Modify the driver configuration settings. See “Configuring the Driver Settings” on page 26. 
Deploy the driver. See “Deploying the Driver” on page 27. 
Start the driver. See “Starting the Driver” on page 27. 


(Conditional) Review the newly created or modified configuration objects. See “Viewing 
Permission Collection and Reconciliation Service Configuration Objects” on page 29. 


Repeat Step 1 through Step 8 for each driver where you want to add the new packages. 
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Viewing Permission Collection and Reconciliation 
Service Configuration Objects 


NOTE: This section contains information about verifying the objects that are either newly created or 
modified as part of enabling the Permission Collection and Reconciliation service. If this service is not 
enabled for the driver, skip this section. 


After the driver is deployed and configured with the new Permission Collection and Reconciliation 
service, verify that the driver correctly creates and updates the entitlements information in the Identity 
Vault. 


Complete the following steps: 


1 In iManager, click (7) to display the Identity Manager Administration page. 
2 In the Administration list, click Identity Manager Overview. 


2a (Conditional) If the driver set is not listed on the Driver Sets tab, use the Search In field to 
search for and display the driver set. 


2b Click the driver set to open the Driver Set Overview page. 
3 Click the Loopback Service driver icon. 


4 Click the Jobs tab. The PermissionOnboarding job is displayed in the Jobs page. For more 
information, see “PermissionOnboarding Job Object” in the NetlQ Identity Manager Driver 
Administration Guide. 

5 Click Advanced > Mapping Tables. The DNs of the Entitlement objects are displayed in the 
Mapping Table page based on the InitEntittementResourceObjects policy and data from the 
configuration objects. For more information, see “Mapping Table Objects” in the Net/Q Identity 
Manager Driver Administration Guide. 


6 Click Global Config Values to display the driver set GCV page. 


This page contains two sets of GCVs that are consumed by the drivers in the driver set. Ensure 
that you configure them for the driver set containing the drivers for Permission Collection and 
Reconciliation service. 


+ NOVLCOMSET: This GCV object contains the following: 


+ User Container: Specifies the Identity Vault container where the users are added, if 
they don't already exist in the Identity Vault. This value is the default value for all 
drivers in the driver set. 

+ Group Container: Specifies the Identity Vault container where the groups are added, if 
they don't already exist in the Identity Vault. This value is the default value for all 
drivers in the driver set. 


+ NOVLACOMSET: This GCV object contains the following: 


+ User Application Provisioning Services URL: Specifies the User Application 
Identity Manager Provisioning URL. 


+ User Application Provisioning Administrator: Specifies the DN of the provisioning 
administrator. This user should have the rights for creating and assigning resources. 
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Upgrading an Existing Driver 


The following sections provide information to help you upgrade an existing driver: 


+ “Supported Upgrade Paths” on page 31 
+ “What's New” on page 31 
+ “Upgrading the Driver” on page 31 


Supported Upgrade Paths 


You can upgrade from any 3.x version of the Null Service driver or Loopback Service driver. 
Upgrading a pre-3.x version of the driver directly to version 4.6.0.0 is not supported. 


What's New 


Version 4.6.0.0 of the driver does not include any new features. 


Upgrading the Driver 


There is no separate procedure for upgrading the Null Service or Loopback Service driver shims. The 
driver shims are upgraded with a new version of Identity Manager engine. 


To upgrade the installed packages for a driver, perform the following actions in Designer: 


1 Download the latest available packages. 


To configure Designer to automatically read the package updates when a new version of a 
package is available, click Windows > Preferences > NetlQ > Package Manager > Online 
Updates in Designer. However, if you need to add a custom package to the Package Catalog, 
you can import the package . jar file. For more information about creating custom packages, 
see Developing Custom Packages in the NetIQ Identity Manager Driver Administration Guide. 


2 Upgrade the installed packages. 
2a Open the project containing the driver. 


2b Right-click the driver for which you want to upgrade an installed package, then click Driver > 
Properties. 


2c Click Packages. 


If there is a newer version of a package, there is check mark displayed in the Upgrades 
column. 


2d Click Select Operation for the package that indicates there is an upgrade available. 
2e From the drop-down list, click Upgrade. 
2f Select the version that you want to upgrade to, then click OK. 


NOTE: Designer lists all versions available for upgrade. 


2g Click Apply. 
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2h (Conditional) Fill in the fields with appropriate information to upgrade the package, then click 
Next. 


Depending on which package you selected to upgrade, you must fill in the required 
information to upgrade the package. 


2i Read the summary of the packages that will be installed, then click Finish. 
2j Review the upgraded package, then click OK to close the Package Management page. 


For detailed information, see the Upgrading Installed Packages in the Net/Q Analyzer for 
Identity Manager Administration Guide. 
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Managing the Driver 


As you work with the Null Service driver and the Loopback Service driver, there are a variety of 
management tasks you might need to perform, including the following: 


+ 


+ 


+ 


+ 


+ 


+ 


+ 


+ 


+ 


Starting and stopping the driver 

Viewing driver version information 

Using Named Passwords to securely store passwords associated with the driver 
Monitoring the driver’s health status 

Backing up the driver 

Inspecting the driver’s cache files 

Viewing the driver’s statistics 

Using the DirXML Command Line utility to perform management tasks through scripts 


Securing the driver and its information 


Because these tasks, as well as several others, are common to all Identity Manager drivers, they are 
included in one reference, the Net/Q Identity Manager Driver Administration Guide. 
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Driver Properties 


This section provides information about the Driver Configuration and Global Configuration Values 
properties for the Null Service driver and the Loopback Service driver. These are the only unique 
properties for drivers. All other driver properties (Named Password, Engine Control Values, Log 
Level, and so forth) are common to all drivers. For information about the common properties, see 
“Driver Properties” in the NetIQ Identity Manager Driver Administration Guide. 


The properties information is presented from the viewpoint of iManager. If a field is different in 
Designer, it is marked with a Designer icon. 

+ “Driver Configuration” on page 35 

+ “Global Configuration Values” on page 38 


Driver Configuration 


In iManager: 


1 In iManager, click (7) to display the Identity Manager Administration page. 
2 Open the driver set that contains the driver whose properties you want to edit: 
2a In the Administration list, click Identity Manager Overview. 


2b lf the driver set is not listed on the Driver Sets tab, use the Search In field to search for and 
display the driver set. 


2c Click the driver set to open the Driver Set Overview page. 


3 Locate the driver icon, then click the upper right corner of the driver icon to display the Actions 
menu. 


4 Click Edit Properties to display the driver's properties page. 


5 Click Driver Configuration. 
In Designer: 

1 Open a project in the Modeler. 

2 Right-click the driver icon Y or line, then select click Properties > Driver Configuration. 
The Driver Configuration options are divided into the following sections: 


+ “Driver Module” on page 36 

+ “Driver Object Password” on page 36 
+ “Authentication” on page 36 

¢ “Startup Option” on page 37 

¢ “Driver Parameters” on page 37 

+ “ECMAScript” on page 37 

+ “Global Configurations” on page 37 
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Driver Module 


The Driver Module section lets you change the driver from running locally to running remotely or the 
reverse. 


Option Description 


Java Used to specify the name of the Java class that is instantiated for the shim 
component of the driver. This class can be located in the classes directory as 
a class file, or in the lib directory as a . jar file. If this option is selected, the 
driver is running locally. 


The name of the Java class for the Null Service driver is: 
com.novell.nds.dirxml.driver.nulldriver .Nul1DriverShim 
The name of the Java class for the Loopback Service driver is: 
com.novell.nds.dirxml.driver.loopback.LoopbackDriverShim 


Native Used to specify the name of the .d11 file that is instantiated for the application 
shim component of the driver. If this option is selected, the driver is running 
locally. 


Connect to Remote Loader This setting does not apply to the Null Service driver or the Loopback Service 
driver. You cannot use these drivers with the Remote Loader. 


Driver Object Password 


Option Description 

Driver Object Password This setting does not apply to the Null Service driver or the Loopback Service 
driver. 

Authentication 


The Authentication section stores the information required to authenticate to the connected system 
and to the Remote Loader. The Null Service driver and Loopback Service driver function only against 
the Identity Vault and cannot use the Remote Loader. Therefore, the authentication settings do not 


apply. 


The only setting that applies to the drivers is the cache setting. 


Option Description 

Driver Cache Limit Specify the maximum event cache file size (in KB). If it is set to zero, the file 
(kilobytes) size is unlimited. 

or Click Unlimited to set the file size to unlimited in Designer. 


Cache limit (KB) 
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Startup Option 


The Startup Option section enables you to set the driver state when the Identity Manager server is 


started. 


Option 
Auto start 


Manual 


Disabled 


Do not automatically 
synchronize the driver 


Description 


The driver starts every time the Identity Manager server is started. 


The driver does not start when the Identity Manager server is started. The 
driver must be started through Designer or iManager. 


The driver has a cache file that stores all of the events. When the driver is set to 
Disabled, this file is deleted and no new events are stored in the file until the 
driver state is changed to Manual or Auto Start. 


This option applies only if the driver is deployed and was previously disabled. If 
this is not selected, the driver re-synchronizes the next time it is started. 


Driver Parameters 


The Driver Parameters section lets you configure the driver-specific parameters. 


Parameter 


Driver parameters for 
server 


Edit XML 

Driver Options 
Subscriber Options 
Publisher Options 


Publisher Heartbeat Interval 


ECMAScript 


Description 


Displays or specifies the server name or IP address of the server whose driver 
parameters you want to modify. 


Opens an editor so that you can edit the driver’s configuration file. 
There are no general driver options. 

There are no general Subscriber channel options. 

There are no Publisher channel options. 


Configures the driver to send a periodic status message on the Publisher 
channel when there has been no Publisher traffic for the given number of 
minutes. The default is every minute. 


Enables you to add ECMAScript resource files. The resources extend the driver’s functionality when 
Identity Manager starts the driver. 


Global Configurations 


Displays an ordered list of Global Configuration objects. The objects contain extension GCV 
definitions for the driver that Identity Manager loads when the driver is started. You can add or 
remove the Global Configuration objects, and you can change the order in which the objects are 


executed. 
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Global Configuration Values 


There are no predefined global configuration values (GCVs) specific to the Loopback Service driver 
and Null Service driver. As with all drivers, you can add GCVs that you need. 


In iManager: 


1 In iManager, click (7) to display the Identity Manager Administration page. 
2 Open the driver set that contains the driver whose properties you want to edit: 
2a In the Administration list, click Identity Manager Overview. 


2b Ifthe driver set is not listed on the Driver Sets tab, use the Search In field to search for and 
display the driver set. 


2c Click the driver set to open the Driver Set Overview page. 


3 Locate the driver icon, then click the upper right corner of the driver icon to display the Actions 
menu. 


4 Click Edit Properties to display the driver's properties page. 
5 Click Global Config Values. 


In Designer: 

1 Open a project in the Modeler. 

2 Right-click the driver icon bl or line, then select Properties > Global Configuration Values. 
The global configuration values are organized as follows: 


¢ “Entitlements” on page 38 
Entitlements 


Permission Collection and Reconciliation Service 


If you installed the Entitlements package for using the Permission Collection and Reconciliation 
service, iManager and Designer display the following options. For information about the Permission 
Collection and Reconciliation service, see “Synchronizing Permission Changes from the Connected 
Systems ” in the NetIQ Identity Manager Driver Administration Guide. 


+ Enable Permission Collection and Reconciliation: Set the value of this parameter to true for 
resource onboarding and entitlement assignment. By default, the value is set to false, which 
allows the driver to override any other conditions to onboard custom entitlements. 


+ Enable Permission Reconciliation for Group Entitlement: Ensure the value of this parameter 
is set to Yes to enable the driver to assign group entitlements. By default, the value is set to Yes. 


+ Enable Permission Reconciliation for all Custom Entitlements: If the value of this 
parameter is set to No, it allows you to select specific custom entitlements for reconciling them. 
By default, it is set to Yes, which allows reconciling of all custom entitlements. 


+ Add Custom Entitlements for Reconciliation: This parameter is presented if the value of 
Enable Permission Reconciliation for all Custom Entitlements is set to No. 


Click the Add + icon to add custom entitlements you want to selectively reconcile and specify 
Assignment Attribute Name for them. 
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Advanced Settings 


Show Advanced Options: Select show to display the advanced configuration options for the driver. 


Role Mapping 
The Role Mapping Administrator allows you to map business roles with IT roles. 


+ Enable role mapping: Select Yes to make this driver visible to the Role Mapping Administrator. 


+ Allow mapping of groups: Select Yes if you want to allow mapping of groups in the Role 
Mapping Administrator. 


Resource Mapping 


The Roles Based Provisioning Module allows you to map resources to users. For more information, 
see the NetIQ Identity Manager - User's Guide to the Identity Applications. 


+ Enables resource mapping: Select Yes to make this driver visible to the Roles Based 
Provisioning Module. 


+ Allow mapping of groups: Select Yes if you want to allow mapping of groups in the Roles 
Based Provisioning Module. 
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